DoS attacks are divided into Distributed DoS (DDoS) attacks launched by a plurality of “zombie systems” and attacks launched by a single system making use of vulnerabilities of the Internet protocols or system. The DDoS attacks launched by a plurality of zombie computers are a type of attack made by the plurality of zombie systems to a single system. The DDoS attacks may be made through normal service requests without making use of the vulnerabilities. Recently, attacks using such normal service requests have been increasing, and thus packet inspection apparatuses (system security apparatuses) suffer from difficulties in separating malicious service requests from normal service requests.
Conventionally, in order to detect the DoS attacks, packets are inspected by comparing the packets with rules one by one, and thus the inspection process can be quite complicated. The rules used for inspecting the packets are divided into rules of inspecting packet headers and rules of inspecting packet contents, i.e., payloads. Generally, a process applying the rules of inspecting payloads is even more complicated due to its complex nature. For example, in order to execute a rule which defines a packet as an attack if a character string ‘attack’ is contained in the payload, the entire payload should be sequentially inspected to determine whether or not the character string ‘attack’ exists. Therefore, the longer the payload is and the more the number of inspection rules to apply, the more complicated the inspection process is. Accordingly, if a large amount of packets flow into the system at one time due to a DoS attack, the time for processing normal packets is extended, and thus an inverse effect of increasing the effect of attack may occur.
The above information disclosed in this Background section is only for enhancement of understanding of the background of the invention and therefore it may contain information that does not form the prior art that is already known in this country to a person of ordinary skill in the art.